i have latest vbulletin forum and it keeps getting hacked all the time.
my vbulletin forum is on a hostmonster server and hacker is even accessing my hosting cpanel and modifying the vbulletin files from inside the server.
i have contacted hostmonster and they told to changed my passwords and i have already done that, and vbulletin says it is hostmonster problem.

how can i protect my computer?
i already have ZoneAlarm firewall but i dont think it is my computer because i have formatted windows like 2 weeks ago and i havent received any files on msn messenger

so i dont know if the problem is vbulletin, hostmonster or my computer but what i know is that hacker has entered my hosting cpanel, but i dont know how he got the password or if he is using a xploit or something.

thanks :(
Posted on 2008-08-16 19:19:34 by SADE
The problem is certainly vbulletin - do you allow users to upload their own avatar images? Theres a known exploit involving jpeg images and php.
Start by checking that your php version is up to date.
Posted on 2008-08-17 00:11:23 by Homer
First: your own personal computer should have nothing to do with the server where your forum is hosted. Installing firewall, antivirus, <whatever> on your own machine isn't going to help anything.

Second: vBulletin is full of security flaws. Grab a better forum, possibly SMF - might not be perfect, but it's certainly the forum we've had the last trouble with.
Posted on 2008-08-17 13:24:15 by f0dder
yes i have the latest vbulletin and i dont remember but i think i let them upload their own avatars, and link their signature images from other sites.

but i wonder is how he knows my hosting site password?
only way is having access to my computer right? even if they have a vbulletin exploit how can he know my hosting password? my vbulletin administrator password is way different than my hosting password. another way could be that he has an exploit to gain access to my hosting cpanel without my password :(.

he is modifying the vbulletin php files, and i dont think an vbulletin exploit can let you edit the php files, so he is doing the editing from inside the hosting cpanel right?

i reason on how he knows my password could be because firefox saves the password somewhere and if he has access to my computer then he can read the password from firefox files ?

Posted on 2008-08-17 14:51:28 by SADE
Obviously, he got the password either from your machine or from the server's machine. If the "hostmonster" says that they don't have any attacks then it's probably someone who has access to your own machine or to your machine's connection (and using Man-in-the-middle attack or simply listening to your packets). Contact your ISP and ask what network topology they're using. Some topologies allow easy listening. Another option is that it's someone from your neighborhood like your brother or something and he is able to guess your password if it's something like your parent's name.

-> contact the hosting server's admin and ask if they had any attacks. Also, kindly ask for last IPs that have logged in to your account. Optionally ask to ban any IPs except your own (possible only if you have fixed IP) or -if your IP is changing- to ban all network ranges except your own (filters out, like, half of the world).
-> Contact your own ISP and confirm whether it is possible for someone to listen to your packets, or not. Use ONLY TLS/SSL/SSH/similiar if it is.
-> Use non-trivial passwords, like: jS_A72jmx7zoLPqo!2hf8xnUAU9@GHS, so your neighbours won't be able to guess it and also difficult to brute-forcely break it, not to mention that it's almost impossible to break it via a dictionary attack.
-> And please DO switch to some other forum software. SMF is pretty secure, IMHO. So, like it's been already said, try installing SMF instead of vBulletin.

corrected some typos
Posted on 2008-08-17 16:49:56 by ti_mo_n
f0dder is correct, we had issues with both vBulletin and phpBB. SMF has been a great overall forum system for us.

If going the SMF route, don't forget about those handy converters that will help you along the way ;)

If you need something a little more streamlined, you may want to check out UseBB.
Posted on 2008-08-17 19:25:22 by SpooK
Linking the images from other hosts is not going to stop that particular exploit from working - it simply means the exploit is a cross-site scripting exploit instead of a local scripting exploit - please check which version of php your host currently has installed, as I believe that the particular exploit I am thinking of only affects older versions of php.. you might get to keep using vbulletin if it turns out that your host is running an older, vulnerable version of php and you manage to convince them to update it :)
Posted on 2008-08-18 04:41:04 by Homer
hacker contacted me and i ask him how get got my password and he replied.

you are the one hacking my forum right
how can you enter to my hostmonster cpanel if you dont have the password?

yeah if wanted to hack you for real you will not return back your site at all ..,you know what im sayin ? ,yeah there is some skills to enter cpanel or FTP without pass.

i thought hostmonster was secure


he recommend me http://www.ovh.co.uk/individual/ :s
but i dont know where to move mi site now, godaddy, hostgator?
Posted on 2008-08-18 15:25:33 by SADE
Posted on 2008-08-18 22:10:26 by SpooK
Reminds me of how a scanlation-group moderator got her site's password changed like that, and she brute-force learned the new password via FTP. Some security...
Posted on 2008-08-21 23:10:57 by Ultrano
What that happened to your website made me scared. Didn't know Hostmonster is so unreliable.
Posted on 2008-08-23 07:22:01 by roticv
Google for hostmonster exploit :D
Seriously, I think this was simply a php exploit, where the php host is misconfigured.
By default, php runs as SYTEM, and if u own it, u own the host, simple as pye.
Posted on 2008-08-23 11:10:10 by Homer